Layer 2 Technologies – Virtual Local Area Network (VLAN)

vlan database

Use the vlan database Global Configuration mode command to enter the VLAN Configuration mode. This mode is used to create VLAN(s) and define the default VLAN.

Use the exit command to return to Global Configuration mode.

Syntax

vlan database

Parameters

N/A

Default Configuration

VLAN 1 exists by default.

Command Mode

Global Configuration mode

Example

The following example enters the VLAN Configuration mode, creates VLAN 1972 and exits VLAN Configuration mode.

switchxxxxxx(config)# vlan database
switchxxxxxx(config-vlan)# vlan 1972
switchxxxxxx(config-vlan)# exit

vlan

Use the vlan VLAN Configuration mode or Global Configuration mode command to create a VLAN and assign it a name (if only a single VLAN is being created). Use the no form of this command to delete the VLAN(s).

Syntax

vlan vlan-range | {vlan-id [name vlan-name]} [media ethernet] [state active]

no vlan vlan-range

Parameters

  • vlan-range—Specifies a list of VLAN IDs. Separate nonconsecutive VLAN IDs with a comma and no spaces. Use a hyphen to designate a range of IDs (range: 2-4094).
  • vlan-id—Specifies a VLAN ID. (range: 2-4094).
  • vlan-name—Specifies the VLAN name. (range: 1–32 characters).
  • media—Specifies the media type of the VLAN. Valid values are ethernet.
  • state—Specifies the state of the VLAN. Valid values are active.

Default Configuration

VLAN 1 exists by default.

Command Mode

Global Configuration mode

VLAN Database Configuration mode

User Guidelines

If the VLAN does not exist, it is created. If the VLAN cannot be created, the command finishes with an error and the current context is not changed.

Example

The following example creates a few VLANs. VLAN 1972 is assigned the name Marketing.

switchxxxxxx(config)# vlan database
switchxxxxxx(config-vlan)# vlan 19-23
switchxxxxxx(config-vlan)# vlan 100
switchxxxxxx(config-vlan)# vlan 1972 name Marketing
switchxxxxxx(config-vlan)# exit

show vlan

Created by Sinan Kizar. Last updated 27 Mar, 2019

Use the show vlan Privileged EXEC mode command to display the following VLAN information.

Syntax

show vlan [tag vlan-id | name vlan-name]

Parameters

  • tag vlan-id—Specifies a VLAN ID.
  • name vlan-name—Specifies a VLAN name string (length: 1–32 characters)

Default Configuration

All VLANs are displayed.

Command Mode

Privileged EXEC mode

Examples

Example 1—The following example displays information for all VLANs:

switchxxxxxx# show vlan
 
Created by: S-Static, G-GVRP, R-Radius Assigned VLAN, V-Voice VLAN

VLAN   Name        Tagged Ports   UnTagged Ports   Created by
-----  ----------- -------------- --------------   ----------
1      Default                    te1/0/1          S
10     Marketing   te1/0/2        te1/0/2          S
91     11          te1/0/2-4      te1/0/2          SGR
       11          te1/0/3-4                       G
       11          te1/0/3-4                       GR

interface vlan

Use the interface vlan Global Configuration mode command to enter the Interface Configuration (VLAN) mode for a specific VLAN. After this command is entered, all commands configure this VLAN.

Syntax

interface vlan vlan-id

Parameters

  • vlan-id—Specifies the VLAN to be configured.

Default Configuration

N/A

Command Mode

Global Configuration mode

User Guidelines

If the VLAN does not exist, the VLAN is created. If the VLAN cannot be created, this command is finished with an error and the current context is not changed.

Example

The following example configures VLAN 1 with IP address 131.108.1.27 and subnet mask 255.255.255.0.

switchxxxxxx(config)# interface vlan 1
switchxxxxxx(config-if)# ip address 131.108.1.27 255.255.255.0

interface range vlan

Use the interface range vlan Global Configuration mode command to configure multiple VLANs simultaneously.

Syntax

interface range vlan vlan-range

Parameters

  • vlan-range—Specifies a list of VLANs. Separate nonconsecutive VLANs with a comma and no spaces. Use a hyphen to designate a range of VLANs.

Default Configuration

N/A

Command Mode

Global Configuration mode

User Guidelines

Commands under the interface VLAN range context are executed independently on each VLAN in the range. If the command returns an error on one of the VLANs, an error message is displayed, and the system attempts to configure the remaining VLANs.

Example

The following example groups VLANs 221 through 228 and 889 to receive the same command(s).

switchxxxxxx(config)# interface range vlan 221-228, vlan 889

name

Use the name Interface Configuration (VLAN) mode command to name a VLAN. Use the no form of this command to remove the VLAN name.

Syntax

name string

no name

Parameters

  • string—Specifies a unique name associated with this VLAN. (Length: 1–32 characters).

Default Configuration

No name is defined.

Command Mode

Interface (VLAN) Configuration mode

User Guidelines

The VLAN name must be unique.

Example

The following example assigns VLAN 19 the name Marketing.

switchxxxxxx(config)# interface vlan 19
switchxxxxxx(config-if)# name Marketing

switchport protected-port

Use the switchport protected-port Interface Configuration mode command to isolate Unicast, Multicast, and Broadcast traffic at Layer 2 from other protected ports on the same switch. Use the no form of this command to disable protection on the port.

Syntax

switchport protected-port

no switchport protected-port

Parameters

N/A

Default Configuration

Unprotected

Command Mode

Interface (Ethernet, Port Channel) Configuration mode

User Guidelines

Note that packets are subject to all filtering rules and Filtering Database (FDB) decisions.

Use this command to isolate Unicast, Multicast, and Broadcast traffic at Layer 2 from other protected ports (that are not associated with the same community as the ingress interface) on the same switch. Please note that the packet is still subject to FDB decision and to all filtering rules.

Use the switchport community Interface Configuration command to associate the interface with a community.

Example

switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# switchport protected-port

show interfaces protected-ports

Use the show interfaces protected-ports EXEC mode command to display protected ports configuration.

Syntax

show interfaces protected-ports [interface-id | detailed]

Parameters

  • interface-id—Specifies an interface ID. The interface ID can be one of the following types: Ethernet port or port-channel.
  • detailed—Displays information for non-present ports in addition to present ports.

Default Configuration

Show all protected interfaces. If detailed is not used, only present ports are displayed.

Command Mode

User EXEC mode

Example

switchxxxxxx# show interfaces protected-ports
Interface   State         Community
---------   -----------   ---------
te1/0/1     Protected     1
te1/0/2     Protected     Isolated
te1/0/3     Unprotected   20
te1/0/4     Unprotected   Isolated

switchport community

Use the switchport community Interface Configuration mode command to associate a protected port with a community. Use the no form of this command to return to the default.

Syntax

switchport community community

no switchport community

Parameters

  • community—Specifies the community number. (range: 1 – 31).

Default Configuration

The port is not associated with a community.

Command Mode

Interface (Ethernet, Port Channel) Configuration mode

User Guidelines

The command is relevant only when the port is defined as a protected port. Use the switchport protected-port Interface Configuration command to define a port as a protected port.

Example

switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# switchport community 1

switchport

Use the switchport Interface Configuration mode command to put an interface that is in Layer 3 mode into Layer 2 mode. Use the no form of this command to put an interface in Layer 3 mode.

Syntax

switchport

no switchport

Parameters

N/A

Default Configuration

Layer 2 mode

Command Mode

Interface (Ethernet, Port Channel) Configuration mode

User Guidelines

Use the no switchport command to set the interface as a Layer 3 interface.

An interface cannot be set as a Layer 3 interface if 802.1X is enabled on the interface and one of the following conditions is true:

  • The host mode differs from multi-host.
  • MAC-Based or WEB-Based authentication is enabled.
  • Radius VLAN assignment is enabled.

Examples

Example 1 – The following example puts the port te1/0/1 into Layer 2 mode.

switchxxxxxx(config)# interface te1/0/1 
switchxxxxxx(config-if)# switchport

Example 2 – The following example puts the port te1/0/1 into Layer 3 mode.

switchxxxxxx(config)# interface te1/0/1 
switchxxxxxx(config-if)# no switchport

switchport mode

Use the switchport mode Interface Configuration mode command to configure the VLAN membership mode. Use the no form of this command to restore the default configuration.

Syntax

switchport mode access | trunk | general | private-vlan {promiscuous | host} | customer

no switchport mode

Parameters

  • access—Specifies an untagged layer 2 VLAN port.
  • trunk—Specifies a trunking layer 2 VLAN port.
  • general—Specifies a full 802.1q-supported VLAN port.
  • customer—Specifies that the port is an edge port connected to customer equipment. Traffic received from this port will be tunneled with the additional 802.1q VLAN tag (Q-in-Q VLAN tunneling).
  • private-vlan promiscuous—Private-VLAN promiscuous port.
  • private-vlan host—Private-VLAN host port.

Default Configuration

Access mode.

Command Mode

Interface (Ethernet, Port Channel) Configuration mode

User Guidelines

When the port’s mode is changed, it receives the configuration corresponding to the mode.

If the port mode is changed to access and the access VLAN does not exist, then the port does not belong to any VLAN.

The following features cannot be enabled if vlan-mapping is allowed:

  • IPv4 routing
  • Voice VLAN

The switchport vlan-mapping commands cannot add a port to a S-VLAN.

IPv4 and IPv6 interfaces cannot be defined on VLANs containing edge interfaces.

The following Layer 2 features are not supported in VLANs containing edge interfaces:

  • IGMP Snooping
  • MLD Snooping
  • DHCP Snooping

Examples

Example 1 – The following example configures te1/0/1 as an access port (untagged layer 2) VLAN port.

switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# switchport mode access
switchxxxxxx(config-if)# switchport access vlan 2

Example 2 – The following example puts the port te1/0/2 into private-vlan host mode.

switchxxxxxx(config)# interface te1/0/2
switchxxxxxx(config-if)# switchport mode private-vlan host

switchport access vlan

A port in access mode can be an untagged member of at most a single VLAN. The switchport access vlan Interface Configuration command reassigns an interface to a different VLAN from the one it currently belongs to, or assigns it to none, in which case it is not a member of any VLAN.

Use the no form of this command to restore the default configuration.

Syntax

switchport access vlan {vlan-id | none}

no switchport access vlan

Parameters

  • vlan-id—Specifies the VLAN to which the port is configured.
  • none—Specifies that the access port cannot belong to any VLAN.

Default Configuration

The interface belongs to the Default VLAN.

Command Mode

Interface (Ethernet, Port Channel) Configuration mode

User Guidelines

When the port is assigned to a different VLAN, it is automatically removed from its previous VLAN and added to the new VLAN. If the port is assigned to none, it is removed from the previous VLAN and not assigned to any other VLAN.

A nonexistent VLAN can be assigned as an Access VLAN. If the Access VLAN does not exist, the show interfaces switchport command adds the text “(Inactive)” after the VLAN ID.

Example

The following example assigns access port te1/0/1 to VLAN 2 (and removes it from its previous VLAN).

switchxxxxxx(config)# interface te1/0/2
switchxxxxxx(config-if)# switchport mode access
switchxxxxxx(config-if)# switchport access vlan 2

switchport trunk allowed vlan

A trunk interface is an untagged member of a single VLAN and, in addition, may be a tagged member of one or more VLANs. Use the switchport trunk allowed vlan Interface Configuration mode command to add/remove VLAN(s) to/from a trunk port. Use the no form of the command to return to the default.

Syntax

switchport trunk allowed vlan {all | none | add vlan-list | remove vlan-list | except vlan-list}

no switchport trunk allowed vlan

Parameters

  • all—Specifies all VLANs from 1 to 4094. At any time, the port belongs to all VLANs existing at the time. (range: 1–4094).
  • none—Specifies an empty VLAN list. The port does not belong to any VLAN.
  • add vlan-list—List of VLAN IDs to add to the port. Separate nonconsecutive VLAN IDs with a comma and no spaces. Use a hyphen to designate a range of IDs.
  • remove vlan-list—List of VLAN IDs to remove from a port. Separate nonconsecutive VLAN IDs with a comma and no spaces. Use a hyphen to designate a range of IDs.
  • except vlan-list—List of VLAN IDs including all VLANs from range 1-4094 except VLANs belonging to vlan-list.

Default Configuration

By default, trunk ports belong to all created VLANs.

Command Mode

Interface (Ethernet, Port Channel) Configuration mode

User Guidelines

Use the switchport trunk allowed vlan command to specify which VLANs the port belongs to when its mode is configured as trunk.

Nonexistent VLANs can be configured. When a nonexistent VLAN is created, the port is added to it automatically.

Forbidden VLANs can be configured.

Example

The following example adds VLANs 2, 3 and 100 to trunk ports 1 to 13:

switchxxxxxx(config)# interface range te1/0/1-3
switchxxxxxx(config-if)# switchport mode trunk
switchxxxxxx(config-if)# switchport trunk allowed vlan add 2-3,100
switchxxxxxx(config-if)# exit
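
The list semantics described in this section, as an added example (not code from the original guide): a Python model that parses the vlan-list syntax, applies all/none/add/remove/except in order from the documented default, and limits the result to VLANs that exist. The function names are hypothetical, and treating the carried VLANs as the configured list intersected with the created VLANs is an assumption drawn from the User Guidelines above.

```python
import re

VLAN_MIN, VLAN_MAX = 1, 4094
ALL_VLANS = frozenset(range(VLAN_MIN, VLAN_MAX + 1))
_ITEM = re.compile(r"(\d+)(?:-(\d+))?")


def parse_vlan_list(text):
    """Parse the page's vlan-list syntax: commas, hyphen ranges, no spaces."""
    if not text or any(ch.isspace() for ch in text):
        raise ValueError(f"vlan-list must be non-empty and contain no spaces: {text!r}")
    vlans = set()
    for item in text.split(","):
        m = _ITEM.fullmatch(item)
        if m is None:
            raise ValueError(f"malformed vlan-list item: {item!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not (VLAN_MIN <= lo <= hi <= VLAN_MAX):
            raise ValueError(f"VLAN IDs must be ascending and within 1-4094: {item!r}")
        vlans.update(range(lo, hi + 1))
    return vlans


def apply_trunk_allowed(arguments, start=ALL_VLANS):
    """Apply the arguments of successive 'switchport trunk allowed vlan'
    commands, starting from the documented default (all VLANs)."""
    allowed = set(start)
    for arg in arguments:
        op, _, vlan_list = arg.partition(" ")
        if op == "all" and not vlan_list:
            allowed = set(ALL_VLANS)
        elif op == "none" and not vlan_list:
            allowed = set()
        elif op == "add":
            allowed |= parse_vlan_list(vlan_list)
        elif op == "remove":
            allowed -= parse_vlan_list(vlan_list)
        elif op == "except":
            allowed = set(ALL_VLANS) - parse_vlan_list(vlan_list)
        else:
            raise ValueError(f"unknown argument: {arg!r}")
    return allowed


def to_vlan_list(vlans):
    """Render a set of VLAN IDs back into compact vlan-list syntax."""
    ranges = []
    for v in sorted(vlans):
        if ranges and v == ranges[-1][1] + 1:
            ranges[-1][1] = v
        else:
            ranges.append([v, v])
    return ",".join(str(a) if a == b else f"{a}-{b}" for a, b in ranges)


def active_membership(allowed, created):
    """VLANs the trunk carries now: the configured list limited to VLANs that exist."""
    return set(allowed) & set(created)


if __name__ == "__main__":
    # The page's example on a port still at the default list: 'add' changes nothing
    # in this model, because the default already contains every VLAN.
    print("default + add:", to_vlan_list(apply_trunk_allowed(["add 2-3,100"])))

    # Clearing the list first leaves only the VLANs that were named.
    pruned = apply_trunk_allowed(["none", "add 2-3,100"])
    print("none, then add:", to_vlan_list(pruned))

    # VLAN 100 is configured but not created yet (constructed VLAN database).
    created = {1, 2, 3}
    print("carried now:", to_vlan_list(active_membership(pruned, created)))
    created.add(100)
    print("after 'vlan 100':", to_vlan_list(active_membership(pruned, created)))
```
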

switchport trunk native vlan

If an untagged packet arrives on a trunk port, it is directed to the port’s native VLAN. Use the switchport trunk native vlan Interface Configuration mode command to define the native VLAN for a trunk interface. Use the no form of this command to restore the default native VLAN.

Syntax

switchport trunk native vlan {vlan-id | none}

no switchport trunk native vlan

Parameters

  • vlan-id—Specifies the native VLAN ID.
  • none—Specifies the access port cannot belong to any VLAN.

Default Configuration

The default native VLAN is the Default VLAN.

Command Mode

Interface (Ethernet, Port Channel) Configuration mode

User Guidelines

The interface PVID is set to this VLAN ID. When the interface belongs to the native VLAN, it is set as a VLAN untagged egress interface.

The configuration is applied only when the port mode is trunk.

Examples

The following example defines VLAN 2 as native VLAN for port te1/0/1:

switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# switchport trunk native vlan 2
switchxxxxxx(config-if)# exit

switchport general allowed vlan

General ports can receive tagged or untagged packets. Use the switchport general allowed vlan Interface Configuration mode command to add/remove VLANs to/from a general port and configure whether packets on the egress are tagged or untagged. Use the no form of this command to reset to the default.

Syntax

switchport general allowed vlan add vlan-list [tagged | untagged]

switchport general allowed vlan remove vlan-list

no switchport general allowed vlan

Parameters

  • add vlan-list—List of VLAN IDs to add. Separate nonconsecutive VLAN IDs with a comma and no spaces. Use a hyphen to designate a range of IDs. (range: 1–4094)
  • remove vlan-list—List of VLAN IDs to remove. Separate nonconsecutive VLAN IDs with a comma and no spaces. Use a hyphen to designate a range of IDs.
  • tagged—Specify that packets are transmitted tagged for the configured VLANs
  • untagged—Specify that packets are transmitted untagged for the configured VLANs (this is the default)

Default Configuration

The port is not a member of any VLAN.

Command Mode

Interface (Ethernet, Port Channel) Configuration mode

User Guidelines

If the interface is a forbidden member of an added VLAN, the interface does not become a member of this specific VLAN. In this case an error message is displayed (“An interface cannot become a a member of a forbidden VLAN. This message will only be displayed once.”) and the command continues to execute if there are more VLANs in the vlan-list.

A nonexistent VLAN cannot be configured. When a VLAN is removed it is deleted from the vlan-list.

The configuration is applied only when the port mode is general.

Example

The following example adds te1/0/1 to VLANs 2 and 3. Packets are tagged on the egress:

switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# switchport general allowed vlan add 2-3 tagged

switchport general pvid

Use the switchport general pvid Interface Configuration mode command to configure the Port VLAN ID (PVID) of an interface when it is in general mode. Use the no form of this command to restore the default configuration.

Syntax

switchport general pvid vlan-id

no switchport general pvid

Parameters

  • vlan-id—Specifies the Port VLAN ID (PVID).

Default Configuration

The PVID is the Default VLAN PVID.

Command Mode

Interface (Ethernet, Port Channel) Configuration mode

Examples

Example 1 – The following example sets the te1/0/2 PVID to 234.

switchxxxxxx(config)# interface te1/0/2 
switchxxxxxx(config-if)# switchport general pvid 234

Example 2 – The following example performs the following:

  • Adds VLANs 2 and 3 as tagged, and VLAN 100 as untagged to te1/0/4
  • Defines VID 100 as the PVID

switchxxxxxx(config)# interface te1/0/4
switchxxxxxx(config-if)# switchport mode general
switchxxxxxx(config-if)# switchport general allowed vlan add 2-3 tagged
switchxxxxxx(config-if)# switchport general allowed vlan add 100 untagged
switchxxxxxx(config-if)# switchport general pvid 100
switchxxxxxx(config-if)# exit

switchport general ingress-filtering disable

Use the switchport general ingress-filtering disable Interface Configuration mode command to disable port ingress filtering (no packets are discarded at the ingress) on a general port. Use the no form of this command to restore the default configuration.

Syntax

switchport general ingress-filtering disable

no switchport general ingress-filtering disable

Parameters

N/A

Default Configuration

Ingress filtering is enabled.

Command Mode

Interface (Ethernet, Port Channel) Configuration mode

Example

The following example disables port ingress filtering on te1/0/1.

switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# switchport mode general
switchxxxxxx(config-if)# switchport general ingress-filtering disable

switchport general acceptable-frame-type

The switchport general acceptable-frame-type Interface Configuration mode command configures the types of packets (tagged/untagged) that are filtered (discarded) on the interface. Use the no form of this command to return ingress filtering to the default.

Syntax

switchport general acceptable-frame-type {tagged-only | untagged-only | all}

no switchport general acceptable-frame-type

Parameters

  • tagged-only—Ignore (discard) untagged packets and priority-tagged packets.
  • untagged-only—Ignore (discard) VLAN-tagged packets (not including priority-tagged packets)
  • all—Do not discard untagged or priority-tagged packets.

Default Configuration

All frame types are accepted at ingress (all).

Command Mode

Interface (Ethernet, Port Channel) Configuration mode

Example

The following example configures port te1/0/3 to be in general mode and to discard untagged frames at ingress.

switchxxxxxx(config)# interface te1/0/3
switchxxxxxx(config-if)# switchport mode general
switchxxxxxx(config-if)# switchport general acceptable-frame-type tagged-only

switchport general forbidden vlan

Use the switchport general forbidden vlan Interface Configuration mode command to forbid adding/removing specific VLANs to/from a port. Use the no form of this command to restore the default configuration.

Syntax

switchport general forbidden vlan {add vlan-list | remove vlan-list}

no switchport general forbidden vlan

Parameters

  • add vlan-list—Specifies a list of VLAN IDs to add to interface. Separate nonconsecutive VLAN IDs with a comma and no spaces. Use a hyphen to designate a range of IDs.
  • remove vlan-list—Specifies a list of VLAN IDs to remove from interface. Separate nonconsecutive VLAN IDs with a comma and no spaces. Use a hyphen to designate a range of IDs.

Default Configuration

All VLANs are allowed.

Command Mode

Interface (Ethernet, Port Channel) Configuration mode

User Guidelines

The forbidden VLAN cannot be one that does not exist on the system, or one that is already defined on the port.

Example

The following example defines te1/0/4 as a forbidden member of VLANs 5-7:

switchxxxxxx(config)# interface te1/0/4
switchxxxxxx(config-if)# switchport general forbidden vlan add 5-7
switchxxxxxx(config-if)# exit

switchport customer vlan

Use the switchport customer vlan Interface Configuration mode command to set the port’s VLAN when the interface is in customer mode (set by the switchport mode command). Use the no form of this command to restore the default configuration.

Syntax

switchport customer vlan vlan-id

no switchport customer vlan

Parameters

  • vlan-id—Specifies the customer VLAN.

Default Configuration

No VLAN is configured as customer.

Command Mode

Interface (Ethernet, Port Channel) Configuration mode

User Guidelines

When a port is in customer mode it is in QinQ mode. This enables the user to use their own VLAN arrangements (PVID) across a provider network. The switch is in QinQ mode when it has one or more customer ports.

Example

The following example defines te1/0/4 as a member of customer VLAN 5.

switchxxxxxx(config)# interface te1/0/4
switchxxxxxx(config-if)# switchport mode customer
switchxxxxxx(config-if)# switchport customer vlan 5

switchport protected

Use the switchport protected Interface Configuration mode command to override the Filtering Database (FDB) decision, and send all Unicast, Multicast and Broadcast traffic to an uplink port. Use the no form of this command to disable overriding the FDB decision.

Syntax

switchport protected interface-id

no switchport protected

Parameters

  • interface-id—Specifies an interface ID. The interface ID can be one of the following types: Ethernet port or port-channel.

Default Configuration

Switchport protected mode is disabled.

Command Mode

Interface (Ethernet, Port Channel) Configuration mode

User Guidelines

This command overrides the FDB decision, and forwards packets to the uplink. Note that the packet is still subject to all filtering decisions.

A protected port cannot be a member of a VLAN with an IP interface.

Example

This example configures te1/0/2 as a protected port, so that all traffic is sent to its uplink (te1/0/3).

switchxxxxxx(config)# interface te1/0/2
switchxxxxxx(config-if)# switchport protected te1/0/3

map protocol protocols-group

Use the map protocol protocols-group VLAN Configuration mode command to map a protocol to a group of protocols. This protocol group can then be used in switchport general map protocols-group vlan. Use the no form of this command to delete a protocol from a group.

Syntax

map protocol protocol [encapsulation-value] protocols-group group

no map protocol protocol [encapsulation]

Parameters

  • protocol—Specifies a 16-bit protocol number or one of the reserved names listed in the User Guidelines. (range: 0x0600–0xFFFF)
  • encapsulation-value—Specifies one of the following values: Ethernet, rfc1042, llcOther.
  • protocols-group group—Specifies the group number of the group of protocols (range: 1–2147483647).

Default Configuration

The default encapsulation value is Ethernet.

Command Mode

VLAN Database Configuration mode

User Guidelines

Forwarding of packets based on their protocol requires setting up groups of protocols and then mapping these groups to VLANs.

The value 0x8100 is not valid as the protocol number for Ethernet encapsulation.

The following protocol names are reserved for Ethernet Encapsulation:

  • ip
  • arp
  • ipv6
  • ipx

Example

The following example maps the IP protocol to protocol group number 213.

switchxxxxxx(config)# vlan database
switchxxxxxx(config-vlan)# map protocol ip protocols-group 213

switchport general map protocols-group vlan

Use the switchport general map protocols-group vlan Interface Configuration mode command to forward packets based on their protocol, otherwise known as setting up a classifying rule. This command forwards packets arriving on an interface containing a specific protocol to a specific VLAN. Use the no form of this command to stop forwarding packets based on their protocol.

Syntax

switchport general map protocols-group group vlan vlan-id

no switchport general map protocols-group group

Parameters

  • group—Specifies the group number as defined in map protocol protocols-group command (range: 1–65535).
  • vlan-id—Defines the VLAN ID in the classifying rule.

Default Configuration

N/A

Command Mode

Interface (Ethernet, Port Channel) Configuration mode

User Guidelines

The VLAN classification rule priorities are:

  • MAC-based VLAN (best match among the rules)
  • Subnet-based VLAN (best match among the rules)
  • Protocol-based VLAN
  • PVID

Example

The following example forwards packets with protocols belonging to protocol-group 1 to VLAN 8.

switchxxxxxx(config-if)# switchport general map protocols-group 1 vlan 8

show vlan protocols-groups

Use the show vlan protocols-groups EXEC mode command to display the protocols that belong to the defined protocols-groups.

Syntax

show vlan protocols-groups

Parameters

N/A

Default Configuration

N/A

Command Mode

User EXEC mode

Example

The following example displays protocols-groups information.

switchxxxxxx# show vlan protocols-groups
Encapsulation   Protocol        Group ID
-------------   -------------   --------
Ethernet        0x800 (IP)      1
Ethernet        0x806 (ARP)     1
Ethernet        0x86dd (IPv6)   2
Ethernet        0x8898          3

map mac macs-group

Use the map mac macs-group VLAN Configuration mode command to map a MAC address or range of MAC addresses to a group of MAC addresses. Use the no form of this command to delete the mapping.

Syntax

map mac mac-address {prefix-mask | host} macs-group group

no map mac mac-address {prefix-mask | host}

Parameters

  • mac-address—Specifies the MAC address to be mapped to the group of MAC addresses.
  • prefix-mask—Specifies the number of ones in the mask.
  • host—Specifies that the mask is comprised of all 1s.
  • group—Specifies the group number (range: 1–2147483647)

Default Configuration

N/A

Command Mode

VLAN Database Configuration mode

User Guidelines

Forwarding of packets based on their MAC address requires setting up groups of MAC addresses and then mapping these groups to VLANs.

Up to 256 MAC addresses (host or range) can be mapped to one or many MAC-based VLAN groups.

Example

The following example creates two groups of MAC addresses, sets a port to general mode and maps the groups of MAC addresses to specific VLANs.

switchxxxxxx(config)# vlan database
switchxxxxxx(config-vlan)# map mac 0000.1111.0000 32 macs-group 1
switchxxxxxx(config-vlan)# map mac 0000.0000.2222 host macs-group 2
switchxxxxxx(config-vlan)# exit
switchxxxxxx(config)# interface te1/0/4
switchxxxxxx(config-if)# switchport mode general
switchxxxxxx(config-if)# switchport general map macs-group 1 vlan 2
switchxxxxxx(config-if)# switchport general map macs-group 2 vlan 3

switchport general map macs-group vlan

Use the switchport general map macs-group vlan Interface Configuration mode command to set a MAC-based classification rule. Use the no form of this command to delete a classification rule.

Syntax

switchport general map macs-group group vlan vlan-id

no switchport general map macs-group group

Parameters

  • group—Specifies the group number (range: 1–2147483647)
  • vlan-id—Defines the VLAN ID associated with the rule.

Default Configuration

N/A

Command Mode

Interface (Ethernet, Port Channel) Configuration mode

User Guidelines

MAC-based VLAN rules cannot contain overlapping ranges on the same interface.

The VLAN classification rule priorities are:

  • MAC-based VLAN (best match among the rules)
  • Subnet-based VLAN (best match among the rules)
  • Protocol-based VLAN
  • PVID

After groups of MAC addresses have been created (see the map mac macs-group command), they can be mapped to specific VLANs.

Each MAC address (host or range) in the MAC-based group assigned to an interface consumes a single TCAM entry.

Example

The following example creates two groups of MAC addresses, sets a port to general mode and maps the groups of MAC addresses to specific VLANs.

switchxxxxxx(config)# vlan database
switchxxxxxx(config-vlan)# map mac 0000.1111.0000 32 macs-group 1
switchxxxxxx(config-vlan)# map mac 0000.0000.2222 host macs-group 2
switchxxxxxx(config-vlan)# exit
switchxxxxxx(config)# interface te1/0/4
switchxxxxxx(config-if)# switchport mode general
switchxxxxxx(config-if)# switchport general map macs-group 1 vlan 2
switchxxxxxx(config-if)# switchport general map macs-group 2 vlan 3

show vlan macs-groups

Use the show vlan macs-groups EXEC mode command to display the MAC addresses that belong to the defined MAC-based classification rules.

Syntax

show vlan macs-groups

Parameters

N/A

Default Configuration

N/A

Command Mode

User EXEC mode

Example

The following example displays defined MAC-based classification rules.

switchxxxxxx# show vlan macs-groups
 
MAC Address             Mask                  Group ID
---------------------   -------------------   --------
00:12:34:56:78:90       20                    22
00:60:70:4c:73:ff       40                    1

map subnet subnets-group

Use the map subnet subnets-group VLAN Configuration mode command to map an IP subnet to a group of IP subnets. Use the no form of this command to delete the map.

Syntax

map subnet ip-address prefix-mask subnets-group group

no map subnet ip-address prefix-mask

Parameters

  • ip-address—Specifies the IP address prefix of the subnet to be mapped to the group.
  • prefix-mask—Specifies the number of 1s in the mask.
  • group—Specifies the group number. (range: 1–2147483647)

Default Configuration

N/A

Command Mode

VLAN Database Configuration mode

User Guidelines

Forwarding of packets based on their IP subnet requires setting up groups of IP subnets and then mapping these groups to VLANs.

Example

The following example maps an IP subnet to the group of IP subnets 4. It then maps this group of IP subnets to VLAN 8.

switchxxxxxx(config)# vlan database
switchxxxxxx(config-vlan)# map subnet 172.16.1.1 24 subnets-group 4
switchxxxxxx(config-vlan)# switchport general map subnets-group 4 vlan 8

switchport general map subnets-group vlan

Use the switchport general map subnets-group vlan Interface Configuration mode command to set a subnet-based classification rule. Use the no form of this command to delete a subnet-based classification rule.

Syntax

switchport general map subnets-group group vlan vlan-id

no switchport general map subnets-group group

Parameters

  • group—Specifies the group number. (range: 1–2147483647)
  • vlan-id—Defines the VLAN ID associated with the rule.

Default Configuration

N/A

Command Mode

Interface (Ethernet, Port Channel) Configuration mode

User Guidelines

The VLAN classification rule priorities are:

  • MAC-based VLAN (Best match among the rules)
  • Subnet-based VLAN (Best match among the rules)
  • Protocol-based VLAN
  • PVID

Example

The following example maps an IP subnet to the group of IP subnets 4. It then maps this group of IP subnets to VLAN 8.

switchxxxxxx(config)# vlan database
switchxxxxxx(config-vlan)# map subnet 172.16.1.1 24 subnets-group 4
switchxxxxxx(config-vlan)# switchport general map subnets-group 4 vlan 8
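
The classification priority list that appears in the three "switchport general map ... vlan" sections (MAC-based, then subnet-based, then protocol-based, then PVID), as an added example that is not part of the original guide: a Python model of how an untagged frame on a general port would be assigned a VLAN. Assumptions: "best match" is read as longest prefix, matching uses the source MAC and source IP address, the function and field names are hypothetical, and the /25 subnet rule and the protocol rule are constructed for the demonstration.

```python
import ipaddress


def mac_to_int(mac):
    """Accept 0000.1111.0000 or 00:12:34:56:78:90 style notation."""
    digits = "".join(ch for ch in mac if ch not in ".:-")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(digits, 16)


def mac_in_rule(mac, rule_mac, prefix_len):
    """True when the first prefix_len bits match. prefix-mask is the number of
    ones in the mask; the 'host' keyword is an all-ones mask, i.e. 48."""
    shift = 48 - prefix_len
    return mac_to_int(mac) >> shift == mac_to_int(rule_mac) >> shift


def classify(frame, mac_rules, subnet_rules, protocol_rules, pvid):
    """Return (vlan_id, rule_type) following the page's priority order."""
    # 1. MAC-based VLAN, best (longest-prefix, assumed) match among the rules.
    mac_hits = [(plen, vlan) for rule_mac, plen, vlan in mac_rules
                if mac_in_rule(frame["src_mac"], rule_mac, plen)]
    if mac_hits:
        return max(mac_hits)[1], "mac"

    # 2. Subnet-based VLAN, best match among the rules.
    if frame.get("src_ip"):
        addr = ipaddress.ip_address(frame["src_ip"])
        ip_hits = []
        for prefix, plen, vlan in subnet_rules:
            # strict=False because the page's example uses a host address (172.16.1.1 24).
            net = ipaddress.ip_network(f"{prefix}/{plen}", strict=False)
            if addr in net:
                ip_hits.append((plen, vlan))
        if ip_hits:
            return max(ip_hits)[1], "subnet"

    # 3. Protocol-based VLAN, keyed on the 16-bit protocol number.
    vlan = protocol_rules.get(frame["ethertype"])
    if vlan is not None:
        return vlan, "protocol"

    # 4. Nothing matched: the port's PVID applies.
    return pvid, "pvid"


# Rules as (address, prefix length, VLAN). The first three rows mirror the page's
# examples (macs-group 1 -> VLAN 2, macs-group 2 -> VLAN 3, subnets-group 4 -> VLAN 8).
MAC_RULES = [("0000.1111.0000", 32, 2), ("0000.0000.2222", 48, 3)]
SUBNET_RULES = [("172.16.1.1", 24, 8),
                ("172.16.1.128", 25, 9)]      # constructed, more specific rule
PROTOCOL_RULES = {0x0800: 30}                 # constructed: IPv4 -> VLAN 30
PVID = 1

if __name__ == "__main__":
    frames = [  # constructed sample frames
        {"src_mac": "0000.1111.0042", "ethertype": 0x0800, "src_ip": "172.16.1.50"},
        {"src_mac": "aaaa.bbbb.cccc", "ethertype": 0x0800, "src_ip": "172.16.1.50"},
        {"src_mac": "aaaa.bbbb.cccc", "ethertype": 0x0800, "src_ip": "172.16.1.200"},
        {"src_mac": "aaaa.bbbb.cccc", "ethertype": 0x0800, "src_ip": "10.0.0.1"},
        {"src_mac": "aaaa.bbbb.cccc", "ethertype": 0x0806},
    ]
    for f in frames:
        print(f, "->", classify(f, MAC_RULES, SUBNET_RULES, PROTOCOL_RULES, PVID))
```

The first sample frame shows why the order matters when reviewing a configuration: its source address also falls inside the subnet rule for VLAN 8, but the MAC rule wins and it lands in VLAN 2.
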

show vlan subnets-groups

Use the show vlan subnets-groups EXEC mode command to display subnets-groups information.

Syntax

show vlan subnets-groups

Parameters

N/A

Default Configuration

N/A

Command Mode

User EXEC mode

Example

The following example displays subnets-groups information.

switchxxxxxx# show vlan subnets-groups
IP Subnet Address Mask        Group ID
----------------- ----------- --------------
1.1.1.1           32          1
172.16.2.0        24          2

show interfaces switchport

Use the show interfaces switchport Privileged EXEC command to display the administrative and operational status of all interfaces or a specific interface.

Syntax

show interfaces switchport [interface-id]

Parameters

  • interface-id—Specifies an interface ID. The interface ID can be one of the following types: Ethernet port or port-channel.

Command Mode

Privileged EXEC mode

Default

Displays the status of all interfaces.

User Guidelines

Each port mode has its own private configuration. The show interfaces switchport command displays all these configurations, but only the port mode configuration that corresponds to the current port mode displayed in “Administrative Mode” is active.

Example

switchxxxxxx# show interfaces switchport te1/0/1
Gathering information...
Name: te1/0/1
Switchport: enable
Administrative Mode: access
Operational Mode: down
Access Mode VLAN: 1
Access Multicast TV VLAN: none
Trunking Native Mode VLAN: 1
Trunking VLANs: 1
                2-4094 (Inactive)
General PVID: 1
General VLANs: none
General Egress Tagged VLANs: none
General Forbidden VLANs: none
General Ingress Filtering: enabled
General Acceptable Frame Type: all
General GVRP status: Enabled
General GVRP VLANs: none
Customer Mode VLAN: none
Private-vlan promiscuous-association primary VLAN: none
Private-vlan promiscuous-association Secondary VLANs: none
Private-vlan host-association primary VLAN: none
Private-vlan host-association Secondary VLAN: none
Protected: Enabled, Uplink is te1/0/1
Classification rules:
Classification Type   Group ID   VLAN ID
-------------------   --------   -------
Protocol                   1        19
Protocol                   1        20
Protocol                   2        72
Subnet                     1        15
MAC                        1        77

private-vlan

Use the private-vlan Interface VLAN Configuration mode command to configure a private VLAN. Use the no form of this command to return the VLAN to normal VLAN configuration.

Syntax

private-vlan {primary | community | isolated}

no private-vlan

Parameters

  • primary—Designate the VLAN as a primary VLAN.
  • community—Designate the VLAN as a community VLAN.
  • isolated—Designate the VLAN as an isolated VLAN.

Default Configuration

No private VLANs are configured.

Command Mode

Interface (VLAN) Configuration mode

User Guidelines

  • The VLAN type cannot be changed if there is a private VLAN port that is a member in the VLAN.
  • The VLAN type cannot be changed if it is associated with other private VLANs. The VLAN type is not kept as a property of the VLAN when the VLAN is deleted.

Example

The following example sets VLAN 2 to be a primary VLAN:

switchxxxxxx(config)# interface vlan 2
switchxxxxxx(config-if)# private-vlan primary

private-vlan association

Use the private-vlan association Interface VLAN Configuration mode command to configure the association between the primary VLAN and secondary VLANs. Use the no form of this command to remove the association.

Syntax

private-vlan association [add | remove] secondary-vlan-list

no private-vlan association

Parameters

  • add secondary-vlan-list—List of VLAN IDs of type secondary to add to a primary VLAN. Separate nonconsecutive VLAN IDs with a comma and no spaces. Use a hyphen to designate a range of IDs. This is the default action.
  • remove secondary-vlan-list—List of VLAN IDs of type secondary to remove association from a primary VLAN. Separate nonconsecutive VLAN IDs with a comma and no spaces. Use a hyphen to designate a range of IDs.

Default Configuration

No private VLANs are configured.

Command Mode

Interface (VLAN) Configuration mode

User Guidelines

  • The command can only be executed in the context of the primary VLAN.
  • A private VLAN cannot be removed or have its type changed, if it is associated with other private VLANs.
  • A primary VLAN can be associated with only a single, isolated VLAN.
  • A secondary VLAN can be associated with only one primary VLAN.
  • The association of secondary VLANs with a primary VLAN cannot be removed if there are private VLAN ports that are members in the secondary VLAN.
  • In MSTP mode, all the VLANs that are associated with a private VLAN must be mapped to the same instance.

Example

The following example associates secondary VLANs 20, 21, 22 and 24 with primary VLAN 2.

switchxxxxxx(config)# interface vlan 2
switchxxxxxx(config-if)# private-vlan association add 20-22,24

switchport private-vlan mapping

Use the switchport private-vlan mapping Interface Configuration mode command to configure the VLANs of the private VLAN promiscuous port. Use the no form of this command to reset to default.

Syntax

switchport private-vlan mapping primary-vlan-id [add | remove] secondary-vlan-list

no switchport private-vlan mapping

Parameters

  • primary-vlan-id—The VLAN ID of the primary VLAN.
  • add secondary-vlan-list—Specifies one or more secondary VLANs to be added to the port.
  • remove secondary-vlan-list—Specifies one or more secondary VLANs to be removed from the port.

Default Configuration

No VLAN is configured.

Command Mode

Interface (Ethernet, Port Channel) Configuration mode

User Guidelines

The secondary VLANs should be associated with the primary VLANs, otherwise the configuration is not accepted.

Example

The following example adds promiscuous port te1/0/4 to primary VLAN 10 and to secondary VLAN 20.

switchxxxxxx(config)# interface te1/0/4
switchxxxxxx(config-if)# switchport private-vlan mapping 10 add 20

switchport private-vlan host-association

Use the switchport private-vlan host-association Interface Configuration mode command to configure the association of a host port with primary and secondary VLANs of the private VLAN. Use the no form of this command to reset to default.

Syntax

switchport private-vlan host-association primary-vlan-id secondary-vlan-id

no switchport private-vlan host-association

Parameters

  • primary-vlan-id—The VLAN ID of the primary VLAN.
  • secondary-vlan-id—Specifies the secondary VLAN.

Default Configuration

No association.

Command Mode

Interface (Ethernet, Port Channel) Configuration mode

User Guidelines

The secondary VLAN must be associated with the primary VLAN, otherwise the configuration is not accepted. See the private-vlan association command.

The port association configuration depends on the type of the secondary VLAN.

The port association configuration for a community secondary VLAN includes:

  • The port is added as untagged to the primary VLAN and to the secondary VLAN.
  • The PVID is set to the VLAN-ID of the secondary VLAN.
  • The port ingress filtering is enabled.

The port association configuration for an isolated secondary VLAN includes:

  • The port is added as untagged only to the primary VLAN and is not added to the secondary VLAN.
  • The PVID is set to the VLAN-ID of the secondary VLAN.
  • The port ingress filtering is disabled.

Example

The following example sets port te1/0/4 to secondary VLAN 20 in primary VLAN 10.

switchxxxxxx(config)# interface te1/0/4
switchxxxxxx(config-if)# switchport private-vlan host-association 10 20
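
A pre-change check for a private VLAN script, added here as an example and not taken from the original command reference: it replays the private-vlan, private-vlan association and switchport private-vlan commands in order and reports the lines that break the guidelines stated for them above. PLAN and the function names are constructed for the illustration.

```python
# Constructed change script built from the commands documented above; VLAN 22
# is a deliberate second isolated VLAN under primary 10.
PLAN = """\
interface vlan 10
private-vlan primary
interface vlan 20
private-vlan isolated
interface vlan 21
private-vlan community
interface vlan 22
private-vlan isolated
interface vlan 10
private-vlan association add 20-22
interface te1/0/4
switchport private-vlan host-association 10 20
interface te1/0/5
switchport private-vlan host-association 10 22
"""


def expand(vlan_list):             # "20-22,24" -> {20, 21, 22, 24}
    return {v for part in vlan_list.split(",")
            for v in range(int(part.split("-")[0]), int(part.split("-")[-1]) + 1)}


def lint(plan):
    """Return (line number, problem) for commands that break the guidelines."""
    vtype, assoc, ctx, findings = {}, {}, None, []   # assoc: secondary -> primary
    for n, line in enumerate(plan.splitlines(), 1):
        w = line.split() or [""]
        if w[0] == "interface":
            ctx = int(w[2]) if w[1] == "vlan" else None
        elif w[0] == "private-vlan" and w[1] in ("primary", "community", "isolated"):
            vtype[ctx] = w[1]
        elif w[:2] == ["private-vlan", "association"] and "remove" in w:
            for sec in expand(w[-1]):
                assoc.pop(sec, None)
        elif w[:2] == ["private-vlan", "association"]:
            if vtype.get(ctx) != "primary":
                findings.append((n, "association outside a primary VLAN context"))
                continue
            for sec in sorted(expand(w[-1])):
                iso = [s for s, p in assoc.items() if p == ctx and vtype.get(s) == "isolated"]
                if assoc.get(sec, ctx) != ctx:
                    findings.append((n, f"VLAN {sec} already associated with primary {assoc[sec]}"))
                elif vtype.get(sec) == "isolated" and iso and iso != [sec]:
                    findings.append((n, f"primary {ctx} already has isolated VLAN {iso[0]}"))
                else:
                    assoc[sec] = ctx
        elif w[:2] == ["switchport", "private-vlan"] and "remove" not in w:
            for sec in sorted(expand(w[-1])):      # host-association or mapping
                if assoc.get(sec) != int(w[3]):
                    findings.append((n, f"secondary {sec} is not associated with primary {w[3]}"))
    return findings
```

On the sample script the second isolated VLAN is reported at line 10, and the host-association on te1/0/5 at line 14 is reported as a consequence, which is the port that would be left without its intended isolation.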

show vlan private-vlan

Use the show vlan private-vlan EXEC mode command to display private VLAN information.

Syntax

show vlan private-vlan [tag vlan-id]

Parameters

  • tag vlan-id—Primary VLAN that represents the private VLAN to be displayed.

Default Configuration

All private VLANs are displayed.

Command Mode

User EXEC mode

User Guidelines

The show vlan private-vlan command does not include non-private VLAN ports that are members in private VLANs. Specifying the tag parameter with a non-primary VLAN results in empty show output.

Example

switchxxxxxx# show vlan private-vlan
Primary     Secondary   Type        Ports
----------- ----------- ----------- ----------------------
150                     primary     te1/0/1
150         151         isolated    te1/0/2
160                     primary     te1/0/3
160         161         community   te1/0/4

switchxxxxxx# show vlan private-vlan tag 150
Primary     Secondary   Type        Ports
----------- ----------- ----------- ----------------------
150                     primary     te1/0/1
150         151         isolated    te1/0/4

switchport access multicast-tv vlan

To assign a Multicast-TV VLAN to an access port, use the switchport access multicast-tv vlan command in Interface (Ethernet, Port Channel) Configuration mode. To return to the default, use the no form of the command.

Syntax

switchport access multicast-tv vlan vlan-id

no switchport access multicast-tv vlan

Parameters

  • vlan-id—Specifies the Multicast TV VLAN ID.

Default Configuration

Receiving Multicast transmissions is disabled.

Command Mode

Interface (Ethernet, Port Channel) Configuration mode

User Guidelines

When the port is assigned to a different Multicast-TV VLAN, it is automatically removed from its previous VLAN and added to the new Multicast-TV VLAN.

When an existing Multicast-TV VLAN is assigned to an access port, the multicast messages received on a member of the Multicast-TV VLAN are forwarded to the access port. All messages received on the access port are bridged only into its Access VLAN.

To register IGMP reports arriving on the access port by IGMP Snooping running on the Multicast-TV VLAN, use the ip igmp snooping map cpe vlan command.

A nonexistent VLAN can be assigned as a Multicast-TV VLAN. If the Multicast-TV VLAN does not exist, the show interfaces switchport command adds the text “(Inactive)” after the VLAN ID.

Example

The following example enables te1/0/4 to receive Multicast transmissions from VLAN 11.

switchxxxxxx(config)# interface te1/0/4
switchxxxxxx(config-if)# switchport access multicast-tv vlan 11

switchport customer multicast-tv vlan

To assign Multicast-TV VLANs to a customer port, use the switchport customer multicast-tv vlan command in Interface (Ethernet, Port Channel) Configuration mode. To return to the default, use the no form of the command.

Syntax

switchport customer multicast-tv vlan {add vlan-list | remove vlan-list}

Parameters

  • add vlan-list—Specifies a list of Multicast TV VLANs to add to interface.
  • remove vlan-list—Specifies a list of Multicast TV VLANs to remove from interface.

Default Configuration

The port is not a member in any Multicast TV VLAN.

Command Mode

Interface (Ethernet, Port Channel) Configuration mode

User Guidelines

When an existing Multicast-TV VLAN is assigned to a customer port, the multicast messages received on a member of the Multicast-TV VLAN are forwarded to the customer port. All messages received on the customer port are not bridged only into the Multicast-TV VLAN.

To register IGMP reports arriving on the customer port by IGMP Snooping running on the Multicast-TV VLAN, use the ip igmp snooping map cpe vlan command.

A nonexistent VLAN can be assigned as a Multicast-TV VLAN. If the Multicast-TV VLAN does not exist, the show interfaces switchport command adds the text “(Inactive)” after the VLAN ID.

Example

The following example enables te1/0/4 to receive Multicast transmissions from VLANs 5, 6, 7.

switchxxxxxx(config)# interface te1/0/4
switchxxxxxx(config-if)# switchport customer multicast-tv vlan add 5-7

show vlan multicast-tv

Use the show vlan multicast-tv EXEC mode command to display the source and receiver ports of a Multicast-TV VLAN. Source ports can transmit and receive traffic to/from the VLAN, while receiver ports can only receive traffic from the VLAN.

Syntax

show vlan multicast-tv vlan vlan-id

Parameters

  • vlan-id—Specifies the VLAN ID.

Default Configuration

N/A

Command Mode

User EXEC mode

Example

The following example displays information on the source and receiver ports of Multicast-TV VLAN 1000.

switchxxxxxx# show vlan multicast-tv vlan 1000
Source Ports      Receiver Ports
------------      ---------------------
te1/0/3, te1/0/4  te1/0/1-2

vlan prohibit-internal-usage

Use the vlan prohibit-internal-usage command in Global configuration mode to specify VLANs that cannot be used by the switch as internal VLANs.

Syntax

vlan prohibit-internal-usage none | {add | except | remove} vlan-list

Parameters

  • none—The Prohibit Internal Usage VLAN list is empty: any VLAN can be used by the switch as internal.
  • except—The Prohibit Internal Usage VLAN list includes all VLANs except the VLANs specified by the vlan-list argument: only the VLANs specified by the vlan-list argument can be used by the switch as internal.
  • add—Add the given VLANs to the Prohibit Internal Usage VLAN list.
  • remove—Remove the given VLANs from the Prohibit Internal Usage VLAN list.
  • vlan-list—List of VLANs. Separate nonconsecutive VLAN IDs with a comma and no spaces. Use a hyphen to designate a range of IDs. The VLAN ID that can be used is from 1 through 4094.

Default Configuration

The Prohibit Internal usage VLAN list is empty.

Command Mode

Global Configuration mode

User Guidelines

The switch requires an internal VLAN in the following cases:

  • One VLAN for each IP interface is defined directly on an Ethernet port or on a Port channel.
  • One VLAN for each IPv6 tunnel.
  • One VLAN for 802.1x.

When a switch needs an internal VLAN it takes a free VLAN with the highest VLAN ID.

Use the vlan prohibit-internal-usage command to define a list of VLANs that cannot be used as internal VLANs after reload.

If a VLAN was chosen by the software for internal usage, but you want to use that VLAN for a static or dynamic VLAN, do one of the following:

  • Add the VLAN to the Prohibited User Reserved VLAN list.
  • Copy the Running Configuration file to the Startup Configuration file.
  • Reload the switch.
  • Create the VLAN.

Examples

Example 1—The following example specifies that VLANs 4010, 4012, and 4090-4094 cannot be used as internal VLANs:

vlan prohibit-internal-usage add 4010,4012,4090-4094

Example 2—The following specifies that all VLANs except 4000-4107 cannot be used as internal VLANs:

vlan prohibit-internal-usage all
vlan prohibit-internal-usage remove 4000-4107

Example 3—The following specifies that all VLANs except 4000-4107 cannot be used as internal VLANs:

vlan prohibit-internal-usage except 4000-4107
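
The allocation rule from the User Guidelines (a free VLAN with the highest ID), as an added planning example that is not part of the original command reference: it applies the none, add, remove and except forms to a prohibit list, predicts which IDs the switch will take, and flags planned VLANs that would collide. It assumes the prohibit list is already in effect (the page says it applies after reload); the function names are constructed for the illustration.

```python
def expand(vlan_list):             # "4010,4012,4090-4094" -> set of VLAN IDs
    return {v for part in vlan_list.split(",")
            for v in range(int(part.split("-")[0]), int(part.split("-")[-1]) + 1)}


ALL_VLANS = set(range(1, 4095))    # VLAN IDs 1 through 4094


def apply_prohibit(prohibited, command):
    """Apply one 'vlan prohibit-internal-usage ...' command to the prohibit list."""
    args = command.split()[2:]
    if args == ["none"]:
        return set()
    action, vlans = args[0], expand(args[1])
    if action == "add":
        return prohibited | vlans
    if action == "remove":
        return prohibited - vlans
    if action == "except":
        return ALL_VLANS - vlans   # only the listed VLANs stay usable
    raise ValueError(f"unsupported form: {command}")


def allocate_internal(prohibited, in_use, needs):
    """Give each need (port, tunnel, 802.1x) the highest free VLAN, in order."""
    taken, result = set(in_use), {}
    for need in needs:
        free = ALL_VLANS - prohibited - taken
        if not free:
            raise RuntimeError(f"no VLAN left for internal use by {need}")
        vlan = max(free)
        taken.add(vlan)
        result[vlan] = need
    return result


def collisions(allocation, planned):
    """Planned static VLANs that the switch would already be using internally."""
    return sorted(set(allocation) & set(planned))
```

With the list from Example 1 and four internal needs, the model yields 4089, 4088, 4087 and 4086, the same IDs that appear in the show vlan internal usage sample on this page.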

show vlan internal usage

Use the show vlan internal usage Privileged EXEC mode command to display a list of VLANs used internally by the device (defined by the user).

Syntax

show vlan internal usage

Parameters

N/A

Default Configuration

N/A

Command Mode

Privileged EXEC mode

Example

The following example displays VLANs used internally by the switch:

show vlan internal usage
User Reserved VLAN list after reset: 4010,4012,4080-4094
Current User Reserved VLAN list: 4010,4012,4090-4094
VLAN   Usage
----   --------
4089   te1/0/2
4088   te1/0/3
4087   tunnel 1
4086   802.1x
